Elementary Number Theory


Number theory is a fundamental subject for students preparing for international olympiad competitions; it is one of the most elegant and frequently encountered kinds of problems, and this ebook provides a fairly nice and complete system of theory. This is a textbook about prime numbers, congruences, basic public-key cryptography, quadratic reciprocity, continued fractions, elliptic curves, and number theory algorithms. We assume the reader has some familiarity with groups, rings, and fields, and for Chapter 7 some programming experience. This book grew out of an undergraduate course that the author taught at Harvard University in 2001 and 2002.


Elementary Number Theory

William Stein

September 2004


To my students and my wife, Clarita Lefthand


Contents

1 Prime Numbers 5
1.1 Prime Factorization 5
1.2 The Sequence of Prime Numbers 13
1.3 Exercises 19

2 The Ring of Integers Modulo n 21
2.1 Congruences Modulo n 21
2.2 The Chinese Remainder Theorem 27
2.3 Quickly Computing Inverses and Huge Powers 29
2.4 Finding Primes 33
2.5 The Structure of (Z/pZ)∗ 34
2.6 Exercises 38

3 Public-Key Cryptography 43
3.1 The Diffie-Hellman Key Exchange 46
3.2 The RSA Cryptosystem 51
3.3 Attacking RSA 54
3.4 Exercises 58

4 Quadratic Reciprocity 59
4.1 Statement of the Quadratic Reciprocity Law 60
4.2 Euler’s Criterion 62
4.3 First Proof of Quadratic Reciprocity 63
4.4 A Proof of Quadratic Reciprocity Using Gauss Sums 68
4.5 Finding Square Roots 72
4.6 Exercises 74

5 Continued Fractions 77
5.1 Finite Continued Fractions 78
5.2 Infinite Continued Fractions 83
5.3 The Continued Fraction of e 88
5.4 Quadratic Irrationals 91
5.5 Recognizing Rational Numbers 96
5.6 Sums of Two Squares 97
5.7 Exercises 100

6 Elliptic Curves 103
6.1 The Group Structure on an Elliptic Curve 104
6.2 Integer Factorization Using Elliptic Curves 107
6.3 Elliptic Curve Cryptography 112
6.4 Elliptic Curves Over the Rational Numbers 116
6.5 Exercises 121

7 Computational Number Theory 123
7.1 Prime Numbers 125
7.2 The Ring of Integers Modulo n 131
7.3 Public-Key Cryptography 139
7.4 Quadratic Reciprocity 145
7.5 Continued Fractions 148
7.6 Elliptic Curves 152
7.7 Exercises 165


Preface

This is a textbook about prime numbers, congruences, basic public-key cryptography, quadratic reciprocity, continued fractions, elliptic curves, and number theory algorithms. We assume the reader has some familiarity with groups, rings, and fields, and for Chapter 7 some programming experience. This book grew out of an undergraduate course that the author taught at Harvard University in 2001 and 2002.

Notation and Conventions. We let N = {1, 2, 3, …} denote the natural numbers, and use the standard notation Z, Q, R, and C for the rings of integer, rational, real, and complex numbers, respectively. In this book we will use the words proposition, theorem, lemma, and corollary as follows. Usually a proposition is a less important or less fundamental assertion, a theorem a deeper culmination of ideas, a lemma something that we will use later in this book to prove a proposition or theorem, and a corollary an easy consequence of a proposition, theorem, or lemma.

Acknowledgements. Brian Conrad and Ken Ribet made a large number of clarifying comments and suggestions throughout the book. Baurzhan Bektemirov, Lawrence Cabusora, and Keith Conrad read drafts of this book and made many comments. Frank Calegari used the course when teaching Math 124 at Harvard, and he and his students provided much feedback. Noam Elkies made comments and suggested Exercise 4.5. Seth Kleinerman wrote a version of Section 5.3 as a class project. Samit Dasgupta, George Stephanides, Kevin Stern, and Heidi Williams all suggested corrections. I also benefited from conversations with Henry Cohn and David Savitt. I used Emacs, LaTeX, and Python in the preparation of this book.

1 Prime Numbers

In Section 1.1 we describe how the integers are built out of the prime numbers 2, 3, 5, 7, 11, …. In Section 1.2 we discuss theorems about the set of prime numbers, starting with Euclid’s proof that this set is infinite, then explore the distribution of primes via the prime number theorem and the Riemann Hypothesis (without proofs).

1.1 Prime Factorization

1.1.1 Primes

The set of natural numbers is

N = {1, 2, 3, 4, …},

and the set of integers is

Z = {…, −2, −1, 0, 1, 2, …}.

Definition 1.1.1 (Divides). If a, b ∈ Z we say that a divides b, written a | b, if ac = b for some c ∈ Z. In this case we say a is a divisor of b. We say that a does not divide b, written a ∤ b, if there is no c ∈ Z such that ac = b.

For example, we have 2 | 6 and −3 | 15. Also, all integers divide 0, and 0 divides only 0. However, 3 does not divide 7 in Z.

Remark 1.1.2. The notation b ⋮ a for “b is divisible by a” is common in Russian literature on number theory.


Definition 1.1.3 (Prime and Composite). An integer n > 1 is prime if the only positive divisors of n are 1 and n. We call n composite if n is not prime.

The number 1 is neither prime nor composite. The first few primes of N are

2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, …,

and the first few composites are

4, 6, 8, 9, 10, 12, 14, 15, 16, 18, 20, 21, 22, 24, 25, 26, 27, 28, 30, 32, 33, 34, ….

Remark 1.1.4. J. H. Conway argues in [Con97, viii] that −1 should be considered a prime, and in the 1914 table [Leh14], Lehmer considers 1 to be a prime. In this book we consider neither −1 nor 1 to be prime.

Every natural number is built, in a unique way, out of prime numbers:

Theorem 1.1.5 (Fundamental Theorem of Arithmetic). Every natural number can be written as a product of primes uniquely up to order. Note that primes are the products with only one factor and 1 is the empty product.

Remark 1.1.6. Theorem 1.1.5, which we will prove in Section 1.1.4, is trickier to prove than you might first think. For example, unique factorization fails in the ring

Z[√−5] = {a + b√−5 : a, b ∈ Z} ⊂ C,

where 6 factors into irreducible elements in two different ways:

2 · 3 = 6 = (1 + √−5) · (1 − √−5).

1.1.2 The Greatest Common Divisor

We will use the notion of greatest common divisor of two integers to prove that if p is a prime and p | ab, then p | a or p | b. Proving this is the key step in our proof of Theorem 1.1.5.

Definition 1.1.7 (Greatest Common Divisor). Let

gcd(a, b) = max {d ∈ Z : d | a and d | b},

unless both a and b are 0 in which case gcd(0, 0) = 0.

For example, gcd(1, 2) = 1, gcd(6, 27) = 3, and for any a, gcd(0, a) = gcd(a, 0) = a.

If a ≠ 0, the greatest common divisor exists because if d | a then d ≤ a, and there are only a positive integers ≤ a. Similarly, the gcd exists when b ≠ 0.


Lemma 1.1.8. For any integers a and b we have

gcd(a, b) = gcd(b, a) = gcd(±a, ±b) = gcd(a, b − a) = gcd(a, b + a).

Proof. We only prove that gcd(a, b) = gcd(a, b − a), since the other cases are proved in a similar way. Suppose d | a and d | b, so there exist integers c₁ and c₂ such that dc₁ = a and dc₂ = b. Then b − a = dc₂ − dc₁ = d(c₂ − c₁), so d | b − a. Thus gcd(a, b) ≤ gcd(a, b − a), since the set over which we are taking the max for gcd(a, b) is a subset of the set for gcd(a, b − a). The same argument with a replaced by −a and b replaced by b − a shows that gcd(a, b − a) = gcd(−a, b − a) ≤ gcd(−a, b) = gcd(a, b), which proves that gcd(a, b) = gcd(a, b − a).

Lemma 1.1.9. Suppose a, b, n ∈ Z. Then gcd(a, b) = gcd(a, b − an).

Proof. By repeated application of Lemma 1.1.8, we have

gcd(a, b) = gcd(a, b − a) = gcd(a, b − 2a) = · · · = gcd(a, b − an).

Assume for the moment that we have already proved Theorem 1.1.5. A natural (and naive!) way to compute gcd(a, b) is to factor a and b as a product of primes using Theorem 1.1.5; then the prime factorization of gcd(a, b) can be read off from that of a and b. For example, if a = 2261 and b = 1275, then a = 7 · 17 · 19 and b = 3 · 5² · 17, so gcd(a, b) = 17. It turns out that the greatest common divisor of two integers, even huge numbers (millions of digits), is surprisingly easy to compute using Algorithm 1.1.12 below, which computes gcd(a, b) without factoring a or b.

To motivate Algorithm 1.1.12, we compute gcd(2261, 1275) in a different way. First, we recall a helpful fact.

Proposition 1.1.10. Suppose that a and b are integers with b ≠ 0. Then there exist unique integers q and r such that 0 ≤ r < |b| and a = bq + r.

Proof. For simplicity, assume that both a and b are positive (we leave the general case to the reader). Let Q be the set of all nonnegative integers n such that a − bn is nonnegative. Then Q is nonempty because 0 ∈ Q, and Q is bounded because a − bn < 0 for all n > a/b. Let q be the largest element of Q. Then r = a − bq < b, otherwise q + 1 would also be in Q. Thus q and r satisfy the existence conclusion.

To prove uniqueness, suppose for the sake of contradiction that q′ and r′ = a − bq′ also satisfy the conclusion but that q′ ≠ q. Then q′ ∈ Q since r′ = a − bq′ ≥ 0, so q′ < q and we can write q′ = q − m for some m > 0. But then r′ = a − bq′ = a − b(q − m) = a − bq + bm = r + bm > b since r ≥ 0, a contradiction.


For us an algorithm is a finite sequence of instructions that can be followed to perform a specific task, such as a sequence of instructions in a computer program, which must terminate on any valid input. The word “algorithm” is sometimes used more loosely (and sometimes more precisely) than defined here, but this definition will suffice for us.

Algorithm 1.1.11 (Division Algorithm). Suppose a and b are integers with b ≠ 0. This algorithm computes integers q and r such that 0 ≤ r < |b| and a = bq + r. We will not describe the actual steps of this algorithm, since it is just the familiar long division algorithm.

We use the division algorithm repeatedly to compute gcd(2261, 1275). Dividing 2261 by 1275 we find that

2261 = 1 · 1275 + 986,

so q = 1 and r = 986. Notice that if a natural number d divides both 2261 and 1275, then d divides their difference 986 and d still divides 1275. On the other hand, if d divides both 1275 and 986, then it has to divide their sum 2261 as well! We have made progress:

Aside from some tedious arithmetic, that computation was systematic, and it was not necessary to factor any integers (which is something we do not know how to do quickly if the numbers involved have hundreds of digits).

Algorithm 1.1.12 (Greatest Common Division). Given integers a, b, this algorithm computes gcd(a, b).

1. [Assume a > b ≥ 0] We have gcd(a, b) = gcd(|a|, |b|) = gcd(|b|, |a|), so we may replace a and b by their absolute value and hence assume a, b ≥ 0. If a = b output a and terminate. Swapping if necessary we assume a > b.


2. [Quotient and Remainder] Using Algorithm 1.1.11, write a = bq + r, with 0 ≤ r < b and q ∈ Z.

3. [Finished?] If r = 0 then b | a, so we output b and terminate.

4. [Shift and Repeat] Set a ← b and b ← r, then go to step 2.

Proof. Lemmas 1.1.8–1.1.9 imply that gcd(a, b) = gcd(b, r) so the gcd does not change in step 4. Since the remainders form a decreasing sequence of nonnegative integers, the algorithm terminates.

See Section 7.1.1 for an implementation of Algorithm 1.1.12.
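As an added illustration (this code is not from the book, whose own implementation is the one referred to in Section 7.1.1), here is Algorithm 1.1.12 written in Python with every division step recorded, so that the trace can be compared line by line with the hand computation of gcd(2261, 1275) above and with Example 1.1.13. The function names gcd_steps, gcd and format_trace are this example's own.

```python
# Added example (not from the book): Algorithm 1.1.12 in Python, recording each
# division step so the trace matches the hand computations in the text.
from typing import List, Tuple


def gcd_steps(a: int, b: int) -> Tuple[int, List[Tuple[int, int, int, int]]]:
    """Return (gcd(a, b), steps), each step being (a, b, q, r) with a = b*q + r.

    Follows Algorithm 1.1.12: reduce to a >= b >= 0, then repeatedly replace
    (a, b) by (b, r) until the remainder is 0.  No factoring is needed, which is
    why the same routine works unchanged on integers with thousands of digits.
    """
    a, b = abs(a), abs(b)                 # step 1: gcd(a, b) = gcd(|a|, |b|)
    if a < b:
        a, b = b, a                       # step 1: swap so that a >= b
    steps = []
    while b != 0:                         # step 3: r == 0 means b | a, so stop
        q, r = divmod(a, b)               # step 2: Algorithm 1.1.11, a = b*q + r
        steps.append((a, b, q, r))
        a, b = b, r                       # step 4: shift and repeat
    return a, steps                       # gcd(a, 0) = a, and gcd(0, 0) = 0


def gcd(a: int, b: int) -> int:
    return gcd_steps(a, b)[0]


def format_trace(a: int, b: int) -> str:
    """Render the steps in the layout of Example 1.1.13."""
    g, steps = gcd_steps(a, b)
    lines = [f"{x} = {y} * {q} + {r}    gcd({x}, {y}) = gcd({y}, {r})"
             for x, y, q, r in steps]
    lines.append(f"gcd = {g}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_trace(2261, 1275))   # the motivating computation from the text
    print(format_trace(15, 6))        # Example 1.1.13
```

The trace for (2261, 1275) takes six divisions to reach remainder 0, which is the "progress" the text describes: each step preserves the gcd while strictly shrinking the remainder.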

Example 1.1.13. Set a = 15 and b = 6.

15 = 6 · 2 + 3    gcd(15, 6) = gcd(6, 3)
6 = 3 · 2 + 0     gcd(6, 3) = gcd(3, 0) = 3

Note that we can just as easily do an example that is ten times as big, an observation that will be important in the proof of Theorem 1.1.17 below.

Example 1.1.14. Set a = 150 and b = 60.

a + b = 2, since then a = b = 1. Now assume a, b are arbitrary with a ≤ b. Let q and r be such that a = bq + r and 0 ≤ r < b. Then by Lemmas 1.1.8–1.1.9, we have gcd(a, b) = gcd(b, r). Multiplying a = bq + r by n we see that an = bnq + rn, so gcd(an, bn) = gcd(bn, rn). Then

Proof. Since n | a and n | b, there are integers c₁ and c₂ such that a = nc₁ and b = nc₂. By Lemma 1.1.15, gcd(a, b) = gcd(nc₁, nc₂) = n gcd(c₁, c₂), so n divides gcd(a, b).


At this point it would be natural to formally analyze the complexity of Algorithm 1.1.12. We will not do this, because the main reason we introduced Algorithm 1.1.12 is that it will allow us to prove Theorem 1.1.5, and we have not chosen to formally analyze the complexity of the other algorithms in this book. For an extensive analysis of the complexity of Algorithm 1.1.12, see [Knu98, §4.5.3].

With Algorithm 1.1.12, we can prove that if a prime divides the product of two numbers, then it has got to divide one of them. This result is the key to proving that prime factorization is unique.

Theorem 1.1.17 (Euclid). Let p be a prime and a, b ∈ N. If p | ab then p | a or p | b.

You might think this theorem is “intuitively obvious”, but that might be because the fundamental theorem of arithmetic (Theorem 1.1.5) is deeply ingrained in your intuition. Yet Theorem 1.1.17 will be needed in our proof of the fundamental theorem of arithmetic.

Proof of Theorem 1.1.17. If p | a we are done. If p ∤ a then gcd(p, a) = 1, since only 1 and p divide p. By Lemma 1.1.15, gcd(pb, ab) = b. Since p | pb and, by hypothesis, p | ab, it follows from Lemma 1.1.15 that

p | gcd(pb, ab) = b.

1.1.3 Numbers Factor as Products of Primes

In this section, we prove that every natural number factors as a product of primes. Then we discuss the difficulty of finding such a decomposition in practice. We will wait until Section 1.1.4 to prove that factorization is unique.

As a first example, let n = 1275. The sum of the digits of n is divisible by 3, so n is divisible by 3 (see Proposition 2.1.3), and we have n = 3 · 425. The number 425 is divisible by 5, since its last digit is 5, and we have 1275 = 3 · 5 · 85. Again, dividing 85 by 5, we have 1275 = 3 · 5² · 17, which is the prime factorization of 1275. Generalizing this process proves the following proposition:

Proposition 1.1.18. Every natural number is a product of primes.

Proof. Let n be a natural number. If n = 1, then n is the empty product of primes. If n is prime, we are done. If n is composite, then n = ab with a, b < n. By induction, a and b are products of primes, so n is also a product of primes.
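The hand computation for 1275 above (peel off the smallest prime divisor, repeat on the quotient) is trial division. The following Python example is added here and is not the book's own code (its factoring routines are in Sections 6.2 and 7.1.3); it mechanizes that procedure, renders the result in the 3 · 5² · 17 form, and is also checked on two numbers that appear later in this chapter, 30031 = 59 · 509 and 48601811 = 61 · 796751. The names factor, product and factorization_string are this example's own. The stopping rule p² ≤ n is justified by the proof above: a composite n = ab with a ≤ b has a ≤ √n.

```python
# Added example (not from the book): factoring by repeated trial division,
# the procedure the text applies by hand to 1275.
from typing import Dict, List


def factor(n: int) -> List[int]:
    """Return the prime factors of n >= 1 in nondecreasing order (factor(1) == [])."""
    if n < 1:
        raise ValueError("n must be a natural number")
    factors = []
    p = 2
    # If n has no prime divisor <= sqrt(n), what remains is 1 or a prime:
    # a composite n = ab with a <= b forces a <= sqrt(n).
    while p * p <= n:
        while n % p == 0:          # divide out p as many times as it goes
            factors.append(p)
            n //= p
        p += 1 if p == 2 else 2    # after 2, only odd trial divisors are needed
    if n > 1:
        factors.append(n)          # leftover cofactor is prime
    return factors


def product(factors: List[int]) -> int:
    """Multiply the factors back together (a check that nothing was lost)."""
    result = 1
    for p in factors:
        result *= p
    return result


def factorization_string(n: int) -> str:
    """Render e.g. 1275 as '3 * 5^2 * 17'."""
    counts: Dict[int, int] = {}
    for p in factor(n):
        counts[p] = counts.get(p, 0) + 1
    parts = [f"{p}^{e}" if e > 1 else str(p) for p, e in sorted(counts.items())]
    return " * ".join(parts) if parts else "1"


if __name__ == "__main__":
    for n in (1275, 2261, 30031, 48601811):
        print(n, "=", factorization_string(n))
```

Trial division is fine for the sizes in this section, but its running time grows like √n, which is why the 174-digit and larger RSA challenge numbers discussed below need entirely different methods.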

Two questions immediately arise: (1) is this factorization unique, and (2) how quickly can we find such a factorization? Addressing (1), what if we had done something differently when breaking apart 1275 as a product of primes? Could the primes that show up be different? Let’s try: we have 1275 = 5 · 255. Now 255 = 5 · 51 and 51 = 17 · 3, and again the factorization is the same, as asserted by Theorem 1.1.5 above. We will prove uniqueness of the prime factorization of any integer in Section 1.1.4.

Regarding (2), there are algorithms for integer factorization; e.g., in Sections 6.2 and 7.1.3 we will study and implement some of them. It is a major open problem to decide how fast integer factorization algorithms can be.

Open Problem 1.1.19. Is there an algorithm which can factor any integer n in polynomial time? (See below for the meaning of polynomial time.)

By polynomial time we mean that there is a polynomial f(x) such that for any n the number of steps needed by the algorithm to factor n is less than f(log₁₀(n)). Note that log₁₀(n) is an approximation for the number of digits of the input n to the algorithm.

Peter Shor [Sho97] devised a polynomial time algorithm for factoring integers on quantum computers. We will not discuss his algorithm further, except to note that in 2001 IBM researchers built a quantum computer that used Shor’s algorithm to factor 15 (see [LMG+01, IBM01]).

You can earn money by factoring certain large integers. Many cryptosystems would be easily broken if factoring certain large integers were easy. Since nobody has proven that factoring integers is difficult, one way to increase confidence that factoring is difficult is to offer cash prizes for factoring certain integers. For example, until recently there was a $10000 bounty on factoring the following 174-digit integer (see [RSA]):

188198812920607963838697239461650439807163563379417382700763356422988859715234665485319060606504743045317388011303396716199692321205734031879550656996221305168759307650257059

This number is known as RSA-576 since it has 576 digits when written in binary (see Section 2.3.2 for more on binary numbers). It was factored at the German Federal Agency for Information Technology Security in December 2003 (see [Wei03]):

398075086424064937397125500550386491199064362342526708406385189575946388957261768583317

×

472772146107435302536223071973048224632914695302097116459852171130520711256363590397527

The previous RSA challenge was the 155-digit number

10941738641570527421809707322040357612003732945449205990913842131476349984288934784717997257891267332497625752899781833797076537244027146743531593354333897


It was factored on 22 August 1999 by a group of sixteen researchers in four months on a cluster of 292 computers (see [ACD+99]). They found that RSA-155 is the product of the following two 78-digit primes:

p = 102639592829741105772054196573991675900716567808038066803341933521790711307779

q = 106603488380168454820927220360012878679207958575989291522270608237193062808643

The next RSA challenge is RSA-640:

3107418240490043721350750035888567930037346022842727545720161948823206440518081504556346829671723286782437916272838033415471073108501919548529007337724822783525742386454014691736602477652346609,

and its factorization is worth $20000.

These RSA numbers were factored using an algorithm called the number field sieve (see [LL93]), which is the best-known general purpose factorization algorithm. A description of how the number field sieve works is beyond the scope of this book. However, the number field sieve makes extensive use of the elliptic curve factorization method, which we will describe in Section 6.2.

1.1.4 The Fundamental Theorem of Arithmetic

We are ready to prove Theorem 1.1.5 using the following idea. Suppose we have two factorizations of n. Using Theorem 1.1.17 we cancel common primes from each factorization, one prime at a time. At the end, we discover that the factorizations must consist of exactly the same primes. The technical details are given below.

Proof. If n = 1, then the only factorization is the empty product of primes, so suppose n > 1.

By Proposition 1.1.18, there exist primes p₁, …, p_d such that

n = p₁p₂ · · · p_d.

Suppose that

n = q₁q₂ · · · q_m

is another expression of n as a product of primes. Since

p₁ | n = q₁(q₂ · · · q_m),

Euclid’s theorem implies that p₁ = q₁ or p₁ | q₂ · · · q_m. By induction, we see that p₁ = q_i for some i.

Now cancel p₁ and q_i, and repeat the above argument. Eventually, we find that, up to order, the two factorizations are the same.


1.2 The Sequence of Prime Numbers

This section is concerned with three questions:

1. Are there infinitely many primes?

2. Given a, b ∈ Z, are there infinitely many primes of the form ax + b?

3. How are the primes spaced along the number line?

We first show that there are infinitely many primes, then state Dirichlet’s theorem that if gcd(a, b) = 1, then ax + b is a prime for infinitely many values of x. Finally, we discuss the Prime Number Theorem which asserts that there are asymptotically x/log(x) primes less than x, and we make a connection between this asymptotic formula and the Riemann Hypothesis.

1.2.1 There Are Infinitely Many Primes

Each number on the left in the following table is prime. We will see soon that this pattern does not continue indefinitely, but something similar works.

Proof. Suppose that p₁, p₂, …, p_n are n distinct primes. We construct a prime p_{n+1} not equal to any of p₁, …, p_n as follows. If

N = p₁p₂p₃ · · · p_n + 1,    (1.2.1)

then by Proposition 1.1.18 there is a factorization

N = q₁q₂ · · · q_m

with each q_i prime and m ≥ 1. If q₁ = p_i for some i, then p_i | N. Because of (1.2.1), we also have p_i | N − 1, so p_i | 1 = N − (N − 1), which is a contradiction. Thus the prime p_{n+1} = q₁ is not in the list p₁, …, p_n, and we have constructed our new prime.

For example,

2 · 3 · 5 · 7 · 11 · 13 + 1 = 30031 = 59 · 509.

Multiplying together the first 6 primes and adding 1 doesn’t produce a prime, but it produces an integer that is merely divisible by a new prime.

Joke 1.2.2 (Hendrik Lenstra). There are infinitely many composite numbers. Proof. To obtain a new composite number, multiply together the first n composite numbers and don’t add 1.

1.2.2 Enumerating Primes

The Sieve of Eratosthenes is an efficient way to enumerate all primes up to n. The sieve works by first writing down all numbers up to n, noting that 2 is prime, and crossing off all multiples of 2. Next, note that the first number not crossed off is 3, which is prime, and cross off all multiples of 3, etc. Repeating this process, we obtain a list of the primes up to n. Formally, the algorithm is as follows:

Algorithm 1.2.3 (Sieve of Eratosthenes). Given a positive integer n, this algorithm computes a list of the primes up to n.

1. [Initialize] Let X ← [3, 5, …] be the list of all odd integers between 3 and n. Let P ← [2] be the list of primes found so far.

2. [Finished?] Let p be the first element of X. If p ≥ √n, append each element of X to P and terminate. Otherwise append p to P.

3. [Cross Off] Set X equal to the sublist of elements in X that are not divisible by p. Go to step 2.

For example, to list the primes ≤ 40 using the sieve, we proceed as follows. First P = [2] and

i with the p_i distinct primes and p₁ < p₂ < …. If p_i > √n for each i and there is more than one p_i, then m > n, a contradiction. Thus some p_i is less than √n, which also contradicts our assumptions on m.

See Section 7.1.2 for an implementation of Algorithm 1.2.3.
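As an added example (this is not the book's Section 7.1.2 code), here is Algorithm 1.2.3 implemented literally on Python lists, so that each crossing-off pass corresponds to one line of the hand sieve for n = 40. The names sieve and sieve_trace are this example's own. One point worth noting when implementing step 2: the stopping test is applied here as p² > n rather than p ≥ √n, because when n is a perfect square p² (n = 9, say) the composite p² is still in X at the moment p = √n and would otherwise be reported as prime.

```python
# Added example (not from the book): Algorithm 1.2.3 on Python lists, with the
# stopping test in step 2 applied as p*p > n (see the note in the lead-in).
from typing import List


def sieve(n: int) -> List[int]:
    """Return the primes <= n by the Sieve of Eratosthenes (Algorithm 1.2.3)."""
    if n < 2:
        return []
    X = list(range(3, n + 1, 2))          # step 1: odd integers from 3 to n
    P = [2]                               # step 1: primes found so far
    while X:
        p = X[0]                          # step 2: smallest number not crossed off
        if p * p > n:                     # step 2: nothing left can be composite
            P.extend(X)
            break
        P.append(p)
        X = [x for x in X if x % p != 0]  # step 3: cross off multiples of p (p itself included)
    return P


def sieve_trace(n: int) -> List[List[int]]:
    """The successive lists X after each crossing-off pass, as in the worked n = 40 table."""
    X = list(range(3, n + 1, 2))
    passes = []
    while X and X[0] * X[0] <= n:
        p = X[0]
        X = [x for x in X if x % p != 0]
        passes.append(X)
    return passes


if __name__ == "__main__":
    print(sieve(40))
    for X in sieve_trace(40):
        print(X)
```

For n = 40 only two passes are needed (p = 3 and p = 5); at p = 7 we have 7² = 49 > 40, so the nine survivors are all prime and are appended at once.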


1.2.3 The Largest Known Prime

Though Theorem 1.2.1 implies that there are infinitely many primes, it still makes sense to ask the question “What is the largest known prime?”

A Mersenne prime is a prime of the form 2^q − 1. According to [Cal] the largest known prime as of July 2004 is the Mersenne prime

p = 2^24036583 − 1,

which has 7235733 decimal digits, so writing it out would fill over 10 books the size of this book. Euclid’s theorem implies that there definitely is a prime bigger than this 7.2 million digit p. Deciding whether or not a number is prime is interesting, both as a motivating problem and for applications to cryptography, as we will see in Section 2.4 and Chapter 3.

1.2.4 Primes of the Form ax + b

Next we turn to primes of the form ax + b, where a and b are fixed integers with a > 1 and x varies over the natural numbers N. We assume that gcd(a, b) = 1, because otherwise there is no hope that ax + b is prime infinitely often. For example, 2x + 2 = 2(x + 1) is only prime if x = 0, and is not prime for any other x ∈ N.

Proposition 1.2.4. There are infinitely many primes of the form 4x − 1.

Why might this be true? We list numbers of the form 4x − 1 and underline those that are prime:

Note that this proof does not work if 4x − 1 is replaced by 4x + 1, since a product of primes of the form 4x − 1 can be of the form 4x + 1.

Example 1.2.5. Set p₁ = 3, p₂ = 7. Then

N = 4 · 3 · 7 − 1 = 83

is a prime of the form 4x − 1. Next

N = 4 · 3 · 7 · 83 − 1 = 6971,

which is again a prime of the form 4x − 1. Again:

N = 4 · 3 · 7 · 83 · 6971 − 1 = 48601811 = 61 · 796751.

This time 61 is a prime, but it is of the form 4x + 1 = 4 · 15 + 1. However, 796751 is prime and 796751 = 4 · 199188 − 1. We are unstoppable:

1.2.5 How Many Primes are There?

We saw in Section 1.2.1 that there are infinitely many primes. In order to get a sense for just how many primes there are, we consider a few warm-up questions. Then we consider some numerical evidence and state the prime number theorem, which gives an asymptotic answer to our question, and connect this theorem with a form of the Riemann Hypothesis. Our discussion of counting primes in this section is very cursory; for more details, read Crandall and Pomerance’s excellent book [CP01, §1.1.5].

The following vague discussion is meant to motivate a precise way to measure the number of primes. How many natural numbers are even? Answer: Half of them. How many natural numbers are of the form 4x − 1? Answer: One fourth of them. How many natural numbers are perfect squares? Answer: Zero percent of all natural numbers, in the sense that the limit of the proportion of perfect squares to all natural numbers converges to 0. More precisely,

$$\lim_{x\to\infty} \frac{\#\{n \in \mathbb{N} : n \le x \text{ and } n \text{ is a perfect square}\}}{x} = 0,$$

since the numerator is roughly √x and $\lim_{x\to\infty} \sqrt{x}/x = 0$. Likewise, it is an easy consequence of Theorem 1.2.8 below that zero percent of all natural numbers are prime (see Exercise 1.4).

We are thus led to ask another question: How many positive integers ≤ x are perfect squares? Answer: roughly √x. In the context of primes, we ask,

TABLE 1.1 Values of π(x)

FIGURE 1.1 Graph of π(x) for x < 1000

Question 1.2.7 How many natural numbers ≤ x are prime?

Gauss had a lifelong love of enumerating primes. Eventually he computed π(3000000), though the author doesn’t know whether or not Gauss got the right answer, which is 216816. Gauss conjectured the following asymptotic formula for π(x), which was later proved independently by Hadamard and Vallée Poussin in 1896 (but will not be proved in this book):

Theorem 1.2.8 (Prime Number Theorem). The function π(x) is asymptotic to x/log(x), in the sense that

$$\lim_{x\to\infty} \frac{\pi(x)}{x/\log(x)} = 1.$$

We do nothing more here than motivate this deep theorem with a few further numerical observations.

The theorem implies that

$$\lim_{x\to\infty} \frac{\pi(x)}{x/(\log(x) - a)} = 1.$$

Thus x/(log(x) − a) is also asymptotic to π(x) for any a. See [CP01, §1.1.5] for a discussion of why a = 1 is the best choice. Table 1.2 compares π(x) and x/(log(x) − 1) for several x < 10000.

FIGURE 1.2 Graphs of π(x) for x < 10000 and x < 100000 (horizontal axis x, vertical axis π(x))

$$\sum_{n=1}^{\infty} n^{-s}.$$

The Riemann Hypothesis is the conjecture that the zeros in C of ζ(s) with positive real part lie on the line Re(s) = 1/2. This conjecture is one of the Clay Math Institute million dollar millennium prize problems [Cla].

According to [CP01, §1.4.1], the Riemann Hypothesis is equivalent to the conjecture that

$$\mathrm{Li}(x) = \int_2^x \frac{1}{\log(t)}\,dt$$

is a “good” approximation to π(x), in the following precise sense:

Conjecture 1.2.9 (Equivalent to the Riemann Hypothesis). For all x ≥ 2.01,

|π(x) − Li(x)| ≤ √x log(x).

If x = 2, then π(2) = 1 and Li(2) = 0, but √2 log(2) = 0.9802…, so the inequality is not true for x ≥ 2, but 2.01 is big enough. We will do nothing more to explain this conjecture, and settle for one numerical example.

Example 1.2.10. Let x = 4 · 10²². Then

$$\lim_{x\to\infty} \frac{\pi(x)}{x} = 0.$$
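The numerical comparisons this section refers to (Table 1.2 for Theorem 1.2.8, and the bound of Conjecture 1.2.9 together with its failure at x = 2) can be recomputed for small x. The Python below is an added example, not code from the book: it counts primes with a compact boolean-array sieve (a separate, shorter routine than Algorithm 1.2.3), evaluates Li(x) through the standard series li(x) = γ + log log x + Σ_{k≥1} (log x)^k/(k·k!) with Li(x) = li(x) − li(2), and checks the inequality |π(x) − Li(x)| ≤ √x log(x). The names primes_up_to, pi, li, Li, pnt_table and rh_bound_holds are this example's own; EULER_GAMMA is the Euler–Mascheroni constant.

```python
# Added example (not from the book): numerical checks of Theorem 1.2.8 and
# Conjecture 1.2.9 for small x, using a compact boolean-array sieve to count primes.
import math
from typing import Dict, List

EULER_GAMMA = 0.5772156649015329


def primes_up_to(n: int) -> List[int]:
    """Compact sieve: mark composites in a boolean array and collect the survivors."""
    if n < 2:
        return []
    is_prime = [True] * (n + 1)
    is_prime[0] = is_prime[1] = False
    for p in range(2, math.isqrt(n) + 1):
        if is_prime[p]:
            is_prime[p * p::p] = [False] * len(range(p * p, n + 1, p))
    return [k for k, flag in enumerate(is_prime) if flag]


def pi(x: float) -> int:
    """The prime-counting function: number of primes <= x."""
    return len(primes_up_to(math.floor(x)))


def li(x: float, terms: int = 200) -> float:
    """li(x) = int_0^x dt/log t, via li(x) = gamma + log(log x) + sum (log x)^k / (k * k!)."""
    L = math.log(x)
    total = EULER_GAMMA + math.log(L)
    term = 1.0
    for k in range(1, terms + 1):
        term *= L / k              # now term == (log x)^k / k!
        total += term / k
    return total


def Li(x: float) -> float:
    """Li(x) = int_2^x dt/log t = li(x) - li(2), the offset form in Conjecture 1.2.9."""
    return li(x) - li(2.0)


def pnt_table(xs: List[int]) -> Dict[int, Dict[str, float]]:
    """For each x: pi(x), x/log(x), x/(log(x) - 1) and the ratio pi(x) / (x/log x)."""
    table = {}
    for x in xs:
        px = pi(x)
        table[x] = {
            "pi": px,
            "x/log": x / math.log(x),
            "x/(log-1)": x / (math.log(x) - 1),
            "ratio": px / (x / math.log(x)),
        }
    return table


def rh_bound_holds(x: float) -> bool:
    """Is |pi(x) - Li(x)| <= sqrt(x) log(x), the inequality of Conjecture 1.2.9?"""
    return abs(pi(x) - Li(x)) <= math.sqrt(x) * math.log(x)


if __name__ == "__main__":
    for x, row in pnt_table([1000, 2000, 5000, 10000]).items():
        print(x, row)
    print(rh_bound_holds(2), rh_bound_holds(2.01), rh_bound_holds(1000))
```

The ratio column drifts down toward 1 only slowly (it is still about 1.13 at x = 10000), while x/(log(x) − 1) lands within a dozen of π(x) in the same range, which is the point of the a = 1 remark above. The bound check reproduces the edge case in the text: it fails at x = 2 and already holds at x = 2.01.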

2 The Ring of Integers Modulo n

This chapter is about the ring Z/nZ of integers modulo n. First we discuss when linear equations modulo n have a solution, then introduce the Euler ϕ function and prove Fermat’s Little Theorem and Wilson’s theorem. Next we prove the Chinese Remainder Theorem, which addresses simultaneous solubility of several linear equations modulo coprime moduli. With these theoretical foundations in place, in Section 2.3 we introduce algorithms for doing interesting computations modulo n, including computing large powers quickly, and solving linear equations. We finish with a very brief discussion of finding prime numbers using arithmetic modulo n.

2.1 Congruences Modulo n

In this section we define the ring Z/nZ of integers modulo n, introduce the Euler ϕ-function, and relate it to the multiplicative order of certain elements of Z/nZ.

If a, b ∈ Z and n ∈ N, we say that a is congruent to b modulo n if n | a − b, and write a ≡ b (mod n). Let nZ = (n) be the ideal of Z generated by n.

Definition 2.1.1 (Integers Modulo n). The ring of integers modulo n is the quotient ring Z/nZ of equivalence classes of integers modulo n. It is equipped with its natural ring structure:

(a + nZ) + (b + nZ) = (a + b) + nZ
(a + nZ) · (b + nZ) = (a · b) + nZ


Example 2.1.2. For example,

Z/3Z = {{…, −3, 0, 3, …}, {…, −2, 1, 4, …}, {…, −1, 2, 5, …}}.

We use the notation Z/nZ because Z/nZ is the quotient of the ring Z by the ideal nZ of multiples of n. Because Z/nZ is the quotient of a ring by an ideal, the ring structure on Z induces a ring structure on Z/nZ. We often let ā or a (mod n) denote the equivalence class a + nZ of a. If p is a prime, then Z/pZ is a field (see Exercise 2.11).

We call the natural reduction map Z → Z/nZ, which sends a to a + nZ, reduction modulo n. We also say that a is a lift of a + nZ. Thus, e.g., 7 is a lift of 1 mod 3, since 7 + 3Z = 1 + 3Z.

We can use the fact that arithmetic in Z/nZ is well defined to derive tests for divisibility by n (see Exercise 2.7).

Proposition 2.1.3. A number n ∈ Z is divisible by 3 if and only if the sum of the digits of n is divisible by 3.

Proof. Write

n = a + 10b + 100c + · · · ,

where the digits of n are a, b, c, etc. Since 10 ≡ 1 (mod 3),

n = a + 10b + 100c + · · · ≡ a + b + c + · · · (mod 3),

from which the proposition follows.

2.1.1 Linear Equations Modulo n

In this section, we are concerned with how to decide whether or not a linear equation of the form ax ≡ b (mod n) has a solution modulo n. Algorithms for computing solutions to ax ≡ b (mod n) are the topic of Section 2.3. First we prove a proposition that gives a criterion under which one can cancel a quantity from both sides of a congruence.

Proposition 2.1.4 (Cancellation). If gcd(c, n) = 1 and

ac ≡ bc (mod n),

then a ≡ b (mod n).


When a has a multiplicative inverse a0 in Z/nZ (i.e., aa0 ≡ 1 (mod n))then the equation ax ≡ b (mod n) has a unique solution x ≡ a0b (mod n)modulo n Thus, it is of interest to determine the units in Z/nZ, i.e., theelements which have a multiplicative inverse

We will use complete sets of residues to prove that the units in Z/nZare exactly the a ∈ Z/nZ such that gcd(˜a, n) = 1 for any lift ˜a of a to Z(it doesn’t matter which lift)

Definition 2.1.5 (Complete Set of Residues) We call a subset R ⊂ Z

of size n whose reductions modulo n are pairwise distinct a complete set ofresidues modulo n In other words, a complete set of residues is a choice ofrepresentative for each equivalence class in Z/nZ

For example,

R = {0, 1, 2, , n − 1}

is a complete set of residues modulo n When n = 5, R = {0, 1, −1, 2, −2}

is a complete set of residues

Lemma 2.1.6 If R is a complete set of residues modulo n and a ∈ Z withgcd(a, n) = 1, then aR = {ax : x ∈ R} is also a complete set of residuesmodulo n

Proof If ax ≡ ax0 (mod n) with x, x0 ∈ R, then Proposition 2.1.4 impliesthat x ≡ x0 (mod n) Because R is a complete set of residues, this impliesthat x = x0 Thus the elements of aR have distinct reductions modulo n Itfollows, since #aR = n, that aR is a complete set of residues modulo n.Proposition 2.1.7 (Units) If gcd(a, n) = 1, then the equation ax ≡ b(mod n) has a solution, and that solution is unique modulo n

Proof Let R be a complete set of residues modulo n, so there is a uniqueelement of R that is congruent to b modulo n By Lemma 2.1.6, aR is also

a complete set of residues modulo n, so there is a unique element ax ∈ aRthat is congruent to b modulo n, and we have ax ≡ b (mod n)

Algebraically, this proposition asserts that if gcd(a, n) = 1, then the mapZ/nZ → Z/nZ given by left multiplication by a is a bijection

Example 2.1.8. Consider the equation 2x ≡ 3 (mod 7), and the complete set R = {0, 1, 2, 3, 4, 5, 6} of coset representatives. We have

2R = {0, 2, 4, 6, 8 ≡ 1, 10 ≡ 3, 12 ≡ 5},

so 2 · 5 ≡ 3 (mod 7).

When gcd(a, n) ≠ 1, then the equation ax ≡ b (mod n) may or may not have a solution. For example, 2x ≡ 1 (mod 4) has no solution, but 2x ≡ 2 (mod 4) does, and in fact it has more than one mod 4 (x = 1 and x = 3). Generalizing Proposition 2.1.7, we obtain the following more general criterion for solvability.


Proposition 2.1.9 (Solvability). The equation ax ≡ b (mod n) has a solution if and only if gcd(a, n) divides b.

Proof. Let g = gcd(a, n). If there is a solution x to the equation ax ≡ b (mod n), then n | (ax − b). Since g | n and g | a, it follows that g | b. Conversely, suppose that g | b. Then n | (ax − b) if and only if

(n/g) | ((a/g)x − b/g).

Thus ax ≡ b (mod n) has a solution if and only if (a/g)x ≡ b/g (mod n/g) has a solution. Since gcd(a/g, n/g) = 1, Proposition 2.1.7 implies this latter equation does have a solution.

In Chapter 4 we will study quadratic reciprocity, which gives a nice criterion for whether or not a quadratic equation modulo n has a solution.

2.1.2 Fermat’s Little Theorem

The group of units (Z/nZ)∗ of the ring Z/nZ will be of great interest to us. Each element of this group has an order, and Lagrange's theorem from group theory implies that each element of (Z/nZ)∗ has order that divides the order of (Z/nZ)∗. In elementary number theory this fact goes by the moniker “Fermat's Little Theorem”, and we reprove it from basic principles in this section.

Definition 2.1.10 (Order of an Element). Let n ∈ N and x ∈ Z and suppose that gcd(x, n) = 1. The order of x modulo n is the smallest m ∈ N such that

x^m ≡ 1 (mod n).

To show that the definition makes sense, we verify that such an m exists. Consider x, x^2, x^3, ... modulo n. There are only finitely many residue classes modulo n, so we must eventually find two integers i, j with i < j such that

x^j ≡ x^i (mod n).

Since gcd(x, n) = 1, Proposition 2.1.4 implies that we can cancel x's and conclude that

x^{j−i} ≡ 1 (mod n).

Definition 2.1.11 (Euler's phi-function). For n ∈ N, let

ϕ(n) = #{a ∈ N : a ≤ n and gcd(a, n) = 1}.


For example,

ϕ(1) = #{1} = 1,
ϕ(2) = #{1} = 1,
ϕ(5) = #{1, 2, 3, 4} = 4,
ϕ(12) = #{1, 5, 7, 11} = 4.

Also, if p is any prime number then

ϕ(p) = #{1, 2, ..., p − 1} = p − 1.

In Section 2.2.1, we will prove that ϕ is a multiplicative function. This will yield an easy way to compute ϕ(n) in terms of the prime factorization of n.

Theorem 2.1.12 (Fermat's Little Theorem). If gcd(x, n) = 1, then

x^{ϕ(n)} ≡ 1 (mod n).

Proof. As mentioned above, Fermat's Little Theorem has the following group-theoretic interpretation. The set of units in Z/nZ is a group

(Z/nZ)∗ = {a ∈ Z/nZ : gcd(a, n) = 1}

which has order ϕ(n). The theorem then asserts that the order of an element of (Z/nZ)∗ divides the order ϕ(n) of (Z/nZ)∗. This is a special case of the more general fact (Lagrange's theorem) that if G is a finite group and g ∈ G, then the order of g divides the cardinality of G.

We now give an elementary proof of the theorem. Let

P = {a : 1 ≤ a ≤ n and gcd(a, n) = 1}.

In the same way that we proved Lemma 2.1.6, we see that the reductions modulo n of the elements of xP are the same as the reductions of the elements of P. Thus


2.1.3 Wilson's Theorem

The following characterization of prime numbers, from the 1770s, is called “Wilson's Theorem”, though it was first proved by Lagrange.

Proposition 2.1.13 (Wilson's Theorem). An integer p > 1 is prime if and only if (p − 1)! ≡ −1 (mod p).

For example, if p = 3, then (p − 1)! = 2 ≡ −1 (mod 3). If p = 17, then

p > 2. We first assume that p is prime and prove that (p − 1)! ≡ −1 (mod p). If a ∈ {1, 2, ..., p − 1} then the equation

ax ≡ 1 (mod p)

has a unique solution a′ ∈ {1, 2, ..., p − 1}. If a = a′, then a^2 ≡ 1 (mod p), so p | a^2 − 1 = (a − 1)(a + 1), so p | (a − 1) or p | (a + 1), so a ∈ {1, p − 1}. We can thus pair off the elements of {2, 3, ..., p − 2}, each with their inverse. Thus

2 · 3 · · · (p − 2) ≡ 1 (mod p).

Multiplying both sides by p − 1 proves that (p − 1)! ≡ −1 (mod p). Next we assume that (p − 1)! ≡ −1 (mod p) and prove that p must be prime. Suppose not, so that p ≥ 4 is a composite number. Let ℓ be a prime divisor of p. Then ℓ < p, so ℓ | (p − 1)!. Also, by assumption,

ℓ | p | ((p − 1)! + 1).

This is a contradiction, because a prime can not divide a number a and also divide a + 1, since it would then have to divide (a + 1) − a = 1.

Example 2.1.14. We illustrate the key step in the above proof in the case p = 17. We have

2 · 3 · · · 15 = (2·9)·(3·6)·(4·13)·(5·7)·(8·15)·(10·12)·(14·11) ≡ 1 (mod 17),

where we have paired up the numbers a, b for which ab ≡ 1 (mod 17).
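As an added example (not code from the book), the following Python reproduces the pairing of Example 2.1.14 and uses Proposition 2.1.13 as a primality test. The function names and the brute-force inverse search are this example's own; the inverse is found by trying each candidate, exactly as one would when building the table by hand.

```python
def factorial_mod(n, p):
    """n! reduced modulo p after every multiplication, so intermediate values stay small."""
    result = 1
    for k in range(1, n + 1):
        result = result * k % p
    return result


def wilson_says_prime(p):
    """Proposition 2.1.13: an integer p > 1 is prime iff (p - 1)! ≡ -1 (mod p).
    Note the cost: p - 1 multiplications, so this is a characterization of primes,
    not a practical test for numbers of cryptographic size."""
    return p > 1 and factorial_mod(p - 1, p) == p - 1


def inverse_pairs(p):
    """The key step of the proof, for a prime p: pair each a in {2, ..., p-2}
    with its inverse a' (listed once, with a < a'), as in Example 2.1.14.
    The inverse is found by brute force since p is small here."""
    pairs = []
    for a in range(2, p - 1):
        inv = next(x for x in range(2, p - 1) if a * x % p == 1)
        if a < inv:
            pairs.append((a, inv))
    return pairs


def product_of_pairs_mod(p):
    """Multiply all the paired products together modulo p; the proof says this is 1."""
    result = 1
    for a, b in inverse_pairs(p):
        result = result * a * b % p
    return result


if __name__ == "__main__":
    print(inverse_pairs(17))            # the seven pairs of Example 2.1.14
    print(wilson_says_prime(17), wilson_says_prime(323))
```

For a composite p > 4 the product (p − 1)! is already 0 modulo p, which is why the second half of the proof has to argue through a prime divisor ℓ rather than through the pairing.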


2.2 The Chinese Remainder Theorem

In this section we prove the Chinese Remainder Theorem, which gives conditions under which a system of linear equations is guaranteed to have a solution. In the 4th century a Chinese mathematician asked the following:

Question 2.2.1. There is a quantity whose number is unknown. Repeatedly divided by 3, the remainder is 2; by 5 the remainder is 3; and by 7 the remainder is 2. What is the quantity?

In modern notation, Question 2.2.1 asks us to find a positive integer solution to the following system of three equations:

x ≡ 2 (mod 3)
x ≡ 3 (mod 5)
x ≡ 2 (mod 7)

The Chinese Remainder Theorem asserts that a solution exists, and the proof gives a method to find one. (See Section 2.3 for the necessary algorithms.)

Theorem 2.2.2 (Chinese Remainder Theorem). Let a, b ∈ Z and n, m ∈ N such that gcd(n, m) = 1. Then there exists x ∈ Z such that

x ≡ a (mod m),
x ≡ b (mod n).

Moreover x is unique modulo mn.

Proof. If we can solve for t in the equation

a + tm ≡ b (mod n),

then x = a + tm will satisfy both congruences. To see that we can solve, subtract a from both sides and use Proposition 2.1.7 together with our assumption that gcd(n, m) = 1 to see that there is a solution.

For uniqueness, suppose that x and y solve both congruences. Then z = x − y satisfies z ≡ 0 (mod m) and z ≡ 0 (mod n), so m | z and n | z. Since gcd(n, m) = 1, it follows that nm | z, so x ≡ y (mod nm).

Algorithm 2.2.3 (Chinese Remainder Theorem). Given coprime integers m and n and integers a and b, this algorithm finds an integer x such that x ≡ a (mod m) and x ≡ b (mod n).

1. [Extended GCD] Use Algorithm 2.3.3 below to find integers c, d such that cm + dn = 1.

2. [Answer] Output x = a + (b − a)cm and terminate.


Proof. Since c ∈ Z, we have x ≡ a (mod m), and using that cm + dn = 1, we have a + (b − a)cm ≡ a + (b − a) ≡ b (mod n).

Now we can answer Question 2.2.1. First, we use Theorem 2.2.2 to find a solution to the pair of equations

Recall from Definition 2.1.11 that the Euler ϕ-function is

ϕ(n) = #{a : 1 ≤ a ≤ n and gcd(a, n) = 1}.

Lemma 2.2.5. Suppose that m, n ∈ N and gcd(m, n) = 1. Then the map

ψ : (Z/mnZ)∗ → (Z/mZ)∗ × (Z/nZ)∗    (2.2.1)

defined by

ψ(c) = (c mod m, c mod n)

is a bijection.

Proof. We first show that ψ is injective. If ψ(c) = ψ(c′), then m | c − c′ and n | c − c′, so nm | c − c′ because gcd(n, m) = 1. Thus c = c′ as elements of (Z/mnZ)∗.

Next we show that ψ is surjective. Given a and b with gcd(a, m) = 1 and gcd(b, n) = 1, Theorem 2.2.2 implies that there exists c with c ≡ a (mod m) and c ≡ b (mod n). We may assume that 1 ≤ c ≤ nm, and since gcd(a, m) = 1 and gcd(b, n) = 1, we must have gcd(c, nm) = 1. Thus ψ(c) = (a, b).


Proposition 2.2.6 (Multiplicativity of ϕ). The function ϕ is multiplicative.

Proof. The map ψ of Lemma 2.2.5 is a bijection, so the set on the left in (2.2.1) has the same size as the product set on the right in (2.2.1). Thus

ϕ(mn) = ϕ(m) · ϕ(n).

The proposition is helpful in computing ϕ(n), at least if we assume we can compute the factorization of n (see Section 3.3.1 for a connection between factoring n and computing ϕ(n)). For example,
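As an added example (not code from the book), here is ϕ(n) computed two ways in Python: by counting as in Definition 2.1.11, and from the prime factorization using Proposition 2.2.6 together with ϕ(p^e) = p^e − p^{e−1}, the formula used for ϕ(100) in Remark 2.3.8. A final function checks Theorem 2.1.12 exhaustively over the units of Z/nZ. The trial-division factorization and the function names are this example's own assumptions; the book defers serious factoring to Chapter 3.

```python
from math import gcd


def phi_by_definition(n):
    """Definition 2.1.11: count the a with 1 <= a <= n and gcd(a, n) = 1.
    Linear in n, so only usable for small n."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def factor(n):
    """Trial-division factorization of n >= 1 as a list of (prime, exponent) pairs.
    Added helper for small inputs only."""
    factors = []
    p = 2
    while p * p <= n:
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        if e:
            factors.append((p, e))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def phi_from_factorization(n):
    """Proposition 2.2.6: phi is multiplicative, so phi(n) is the product of
    phi(p^e) over the prime powers p^e exactly dividing n. The non-units modulo
    p^e are the p^(e-1) multiples of p, hence phi(p^e) = p^e - p^(e-1)."""
    result = 1
    for p, e in factor(n):
        result *= p ** e - p ** (e - 1)
    return result


def fermat_little_theorem_holds(n):
    """Theorem 2.1.12 checked exhaustively: x^phi(n) ≡ 1 (mod n) for every
    x coprime to n (n >= 2)."""
    k = phi_from_factorization(n)
    return all(pow(x, k, n) == 1 for x in range(1, n + 1) if gcd(x, n) == 1)


if __name__ == "__main__":
    for n in (1, 2, 5, 12, 100):
        print(n, phi_by_definition(n), phi_from_factorization(n))
```

The exhaustive check is the point of the second function: for a composite modulus it confirms that every unit, not just the prime bases, satisfies the congruence, while a non-unit such as 6 modulo 100 is deliberately excluded because the theorem says nothing about it.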

we know it has a solution, and how to efficiently compute a^m (mod n). We also discuss a simple probabilistic primality test that relies on our ability to compute a^m (mod n) quickly. All three of these algorithms are of fundamental importance to the cryptography algorithms of Chapter 3.

2.3.1 How to Solve ax ≡ 1 (mod n)

Suppose a, n ∈ N with gcd(a, n) = 1. Then by Proposition 2.1.7 the equation ax ≡ 1 (mod n) has a unique solution. How can we find it?

Proposition 2.3.1 (Extended Euclidean representation). Suppose a, b ∈ Z and let g = gcd(a, b). Then there exists x, y ∈ Z such that

ax + by = g.

Remark 2.3.2. If e = cg is a multiple of g, then cax + cby = cg = e, so e = (cx)a + (cy)b can also be written in terms of a and b.


Proof of Proposition 2.3.1. Let g = gcd(a, b). Then gcd(a/g, b/g) = 1, so by Proposition 2.1.9 the equation

(a/g) · x ≡ 1 (mod b/g)

to solve linear equations modulo n. Since we do not know such an algorithm, we now discuss a way to explicitly find x and y. This algorithm will in fact enable us to solve linear equations modulo n: to solve ax ≡ 1 (mod n) when gcd(a, n) = 1, use the algorithm below to find x and y such that ax + ny = 1. Then ax ≡ 1 (mod n).

Suppose a = 5 and b = 7. The steps of Algorithm 1.1.12 to compute gcd(5, 7) are as follows. Here we underline, because it clarifies the subsequent back substitution we will use to find x and y.

7 = 1 · 5 + 2    so    2 = 7 − 5
5 = 2 · 2 + 1    so    1 = 5 − 2 · 2 = 5 − 2(7 − 5) = 3 · 5 − 2 · 7

On the right, we have back-substituted in order to write each partial remainder as a linear combination of a and b. In the last step, we obtain gcd(a, b) as a linear combination of a and b, as desired.

That example was not too complicated, so we try another one. Let a =

Thus x = 23 and y = −49 is a solution to 130x + 61y = 1.

Algorithm 2.3.3 (Extended Euclidean Algorithm). Suppose a and b are integers and let g = gcd(a, b). This algorithm finds g, x and y such that ax + by = g. We describe only the steps when a > b ≥ 0, since one can easily reduce to this case.

1. [Initialize] Set x ← 1, y ← 0, r ← 0, s ← 1.

2. [Finished?] If b = 0, set g ← a and terminate.


3. [Quotient and Remainder] Use Algorithm 1.1.11 to write a = qb + c with 0 ≤ c < b.

4. [Shift] Set (a, b, r, s, x, y) ← (b, c, x − qr, y − qs, r, s) and go to step 2.

Proof. This algorithm is the same as Algorithm 1.1.12, except that we keep track of extra variables x, y, r, s, so it terminates and when it terminates g = gcd(a, b). We omit the rest of the inductive proof that the algorithm is correct, and instead refer the reader to [Knu97, §1.2.1] which contains a detailed proof in the context of a discussion of how one writes mathematical proofs.

Algorithm 2.3.4 (Inverse Modulo n). Suppose a and n are integers and gcd(a, n) = 1. This algorithm finds an x such that ax ≡ 1 (mod n).

1. [Compute Extended GCD] Use Algorithm 2.3.3 to compute integers x, y such that ax + ny = gcd(a, n) = 1.

2. [Finished] Output x.

Proof. Reduce ax + ny = 1 modulo n to see that x satisfies ax ≡ 1 (mod n).

See Section 7.2.1 for implementations of Algorithms 2.3.3 and 2.3.4.

Example 2.3.5. Solve 17x ≡ 1 (mod 61). First, we use Algorithm 2.3.3 to find x, y such that 17x + 61y = 1:
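The following Python is an added example, not the book's Section 7.2.1 code. It implements Algorithm 2.3.3 with the book's variables x, y, r, s and the shift of step 4, wraps it as Algorithm 2.3.4 (inverse modulo n), and then reuses it for Algorithm 2.2.3 (Chinese Remainder Theorem, here folded over a list so that Question 2.2.1 can be answered) and for the general solver of Proposition 2.1.9, which returns every solution of ax ≡ b (mod n) or none. The wrapper that reduces arbitrary integer inputs to the case a > b ≥ 0 by taking absolute values and swapping, and all function names, are this example's own.

```python
def xgcd(a, b):
    """Algorithm 2.3.3 (Extended Euclidean Algorithm): returns (g, x, y) with
    a*x + b*y = g = gcd(a, b). The book's steps assume a > b >= 0; this
    wrapper (an assumption of the example) reduces any integers to that case
    by working with absolute values and swapping, then undoes both at the end."""
    sign_a = -1 if a < 0 else 1
    sign_b = -1 if b < 0 else 1
    a, b = abs(a), abs(b)
    swapped = a < b
    if swapped:
        a, b = b, a
    # Invariant: a == x*A + y*B and b == r*A + s*B for the (reduced) inputs A, B.
    x, y, r, s = 1, 0, 0, 1                      # step 1: initialize
    while b != 0:                                # step 2: finished when b = 0
        q, c = divmod(a, b)                      # step 3: a = q*b + c, 0 <= c < b
        a, b, r, s, x, y = b, c, x - q * r, y - q * s, r, s   # step 4: shift
    g = a
    if swapped:
        x, y = y, x
    return g, sign_a * x, sign_b * y


def inverse_mod(a, n):
    """Algorithm 2.3.4: x with a*x ≡ 1 (mod n); requires gcd(a, n) = 1."""
    g, x, _ = xgcd(a, n)
    if g != 1:
        raise ValueError(f"{a} is not a unit modulo {n} (gcd = {g})")
    return x % n


def solve_linear_congruence(a, b, n):
    """Proposition 2.1.9: all x in {0, ..., n-1} with a*x ≡ b (mod n).
    Solvable iff g = gcd(a, n) divides b; dividing through by g gives
    (a/g)*x ≡ b/g (mod n/g), which has one solution mod n/g (Proposition
    2.1.7) and therefore exactly g solutions mod n."""
    g, _, _ = xgcd(a, n)
    if b % g != 0:
        return []
    a1, b1, n1 = a // g, b // g, n // g
    x0 = (b1 * inverse_mod(a1, n1)) % n1
    return [x0 + k * n1 for k in range(g)]


def crt(a, m, b, n):
    """Algorithm 2.2.3: the x modulo m*n with x ≡ a (mod m), x ≡ b (mod n),
    for coprime m and n."""
    g, c, d = xgcd(m, n)                         # step 1: c*m + d*n = 1
    if g != 1:
        raise ValueError("moduli must be coprime")
    return (a + (b - a) * c * m) % (m * n)       # step 2: x = a + (b - a)*c*m


def crt_system(congruences):
    """Fold crt over (residue, modulus) pairs with pairwise coprime moduli;
    returns (x, product of moduli)."""
    x, mod = 0, 1
    for a, m in congruences:
        x = crt(x, mod, a, m)
        mod *= m
    return x, mod


if __name__ == "__main__":
    print(xgcd(17, 61))                          # Example 2.3.5
    print(xgcd(130, 61))                         # 130x + 61y = 1
    print(solve_linear_congruence(2, 2, 4))      # two solutions mod 4
    print(crt_system([(2, 3), (3, 5), (2, 7)]))  # Question 2.2.1
```

Keeping the sign and swap handling in one place matters in practice: an inverse routine that silently accepts a non-unit, or that returns a negative representative, is a common source of subtle bugs in modular arithmetic code, so inverse_mod raises on gcd ≠ 1 and always reduces into {0, ..., n−1}.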

The naive approach to computing a^m (mod n) is to simply compute a^m = a · a · · · a (mod n) by repeatedly multiplying by a and reducing modulo n. Note that after each arithmetic operation is completed, we reduce the result modulo n so that the sizes of the numbers involved do not get too large. Nonetheless, this algorithm is horribly inefficient because it takes m − 1 multiplications, which is huge if m has hundreds of digits.

A much more efficient algorithm for computing a^m (mod n) involves writing m in binary, then expressing a^m as a product of expressions a^{2^i}, for various i. These latter expressions can be computed by repeatedly squaring a^{2^i}. This more clever algorithm is not “simpler”, but it is vastly more efficient since the number of operations needed grows with the number of binary digits of m, whereas with the naive algorithm above the number of operations is m − 1.

Algorithm 2.3.6 (Write a number in binary). Let m be a nonnegative integer. This algorithm writes m in binary, so it finds ε_i ∈ {0, 1} such that

1. [Write in Binary] Write m in binary using Algorithm 2.3.6, so a^m = ∏_{ε_i = 1} a^{2^i} (mod n).

2. [Compute Powers] Compute a, a^2, a^{2^2} = (a^2)^2, a^{2^3} = (a^{2^2})^2, etc., up to a^{2^r}, where r + 1 is the number of binary digits of m.

3. [Multiply Powers] Multiply together the a^{2^i} such that ε_i = 1, always working modulo n.

See Section 7.2.2 for an implementation of Algorithms 2.3.6 and 2.3.7.

We can compute the last 2 digits of 6^91 by finding 6^91 (mod 100). Make a table whose first column, labeled i, contains 0, 1, 2, etc. The second column, labeled m, is got by dividing the entry above it by 2 and taking the integer part of the result. The third column, labeled ε_i, records whether or not the second column is odd. The fourth column is computed by squaring, modulo n = 100, the entry above it.
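As an added example (not the book's Section 7.2.2 code), the following Python carries out Algorithm 2.3.7 and records the four-column table just described, so running it on 6^91 (mod 100) prints the rows one would fill in by hand. Reading ε_i off the successive halvings of m is Algorithm 2.3.6 done on the fly. The function name and the (i, m, ε_i, a^{2^i} mod n) row layout are this example's own.

```python
def power_mod(a, m, n):
    """Algorithm 2.3.7: a^m mod n by repeated squaring, for m >= 0 and n >= 1.
    Returns (result, table) where each table row is (i, m_i, eps_i, a^(2^i) mod n):
    m_i is m halved i times, eps_i = 1 iff m_i is odd, and the last entry is
    obtained by squaring the entry above it modulo n."""
    table = []
    result = 1 % n
    power = a % n            # a^(2^i) mod n, starting at i = 0
    i = 0
    while m > 0:
        eps = m % 2          # Algorithm 2.3.6: the i-th binary digit of m
        table.append((i, m, eps, power))
        if eps:              # step 3: multiply in a^(2^i) only when eps_i = 1
            result = result * power % n
        m //= 2
        power = power * power % n   # step 2: next row of the fourth column
        i += 1
    return result, table


def naive_power_mod(a, m, n):
    """The m - 1 multiplication approach from the text, for comparison on small m."""
    result = 1 % n
    for _ in range(m):
        result = result * a % n
    return result


if __name__ == "__main__":
    value, rows = power_mod(6, 91, 100)
    for row in rows:
        print("i=%d  m=%d  eps=%d  6^(2^i) mod 100 = %d" % row)
    print("6^91 mod 100 =", value)
```

The table has seven rows because 91 has seven binary digits, so the squaring loop runs seven times where the naive loop runs ninety-one; for a 2048-bit exponent, as in RSA, the difference is a few thousand multiplications against a number with hundreds of digits of them. One caution on Remark 2.3.8: gcd(6, 100) = 2, so Theorem 2.1.12 does not apply to the base 6, and the congruence 6^91 ≡ 6^11 (mod 100) should be checked directly rather than deduced from it; the code confirms both sides are 56.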


Remark 2.3.8. Alternatively, we could simplify the computation using Theorem 2.1.12. By that theorem, 6^{ϕ(100)} ≡ 1 (mod 100), so since ϕ(100) = ϕ(2^2 · 5^2) = (2^2 − 2) · (5^2 − 5) = 40, we have 6^91 ≡ 6^11 (mod 100).

2.4 Finding Primes

Theorem 2.4.1 (Pseudoprimality). An integer p > 1 is prime if and only if for every a ≢ 0 (mod p),

a^{p−1} ≡ 1 (mod p).

Proof. If p is prime, then the statement follows from Proposition 2.1.13. If p is composite, then there is a divisor a of p with a ≠ 1, p. If a^{p−1} ≡ 1 (mod p), then p | a^{p−1} − 1. Since a | p, we have a | a^{p−1} − 1 hence a | 1, a contradiction.

Suppose n ∈ N. Using this theorem and Algorithm 2.3.7, we can either quickly prove that n is not prime, or convince ourselves that n is likely prime (but not quickly prove that n is prime). For example, if 2^{n−1} ≢ 1 (mod n), then we have proved that n is not prime. On the other hand, if a^{n−1} ≡ 1 (mod n) for a few a, it “seems likely” that n is prime, and we loosely refer to such a number that seems prime for several bases as a pseudoprime.

There are composite numbers n (called Carmichael numbers) with the amazing property that a^{n−1} ≡ 1 (mod n) for all a with gcd(a, n) = 1. The first Carmichael number is 561, and it is a theorem that there are infinitely many such numbers ([AGP94]).

Example 2.4.2. Is p = 323 prime? We compute 2^322 (mod 323). Making a table as above, we have

so 323 is not prime, though this computation gives no information about how 323 factors as a product of primes. In fact, one finds that 323 = 17 · 19.


It's possible to easily prove that a large number is composite, but the proof does not easily yield a factorization. For example if

n = 95468093486093450983409583409850934850938459083,

then 2^{n−1} ≢ 1 (mod n), so n is composite.

Another practical primality test is the Miller-Rabin test, which has the property that each time it is run on a number n it either correctly asserts that the number is definitely not prime, or that it is probably prime, and the probability of correctness goes up with each successive call. For a precise statement and implementation of Miller-Rabin, along with proof of correctness, see Section 7.2.4. If Miller-Rabin is called m times on n and in each case claims that n is probably prime, then one can in a precise sense bound the probability that n is composite in terms of m. For an implementation of Miller-Rabin, see Listing 7.2.9 in Chapter 7.

Until recently it was an open problem to give an algorithm (with proof) that decides whether or not any integer is prime in time bounded by a polynomial in the number of digits of the integer. Agrawal, Kayal, and Saxena recently found the first polynomial-time primality test (see [AKS02]). We will not discuss their algorithm further, because for our applications to cryptography Miller-Rabin or pseudoprimality tests will be sufficient.
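The added Python below (not the book's Listing 7.2.9) puts the two tests of this section side by side: the pseudoprimality test of Theorem 2.4.1, which is what Example 2.4.2 does for 323, and a Miller-Rabin round, so that the Carmichael number 561 can be seen passing the first for every coprime base while a single Miller-Rabin base exposes it. Python's built-in pow(a, m, n) plays the role of Algorithm 2.3.7. The fixed base lists, the trial-division reference used for checking, and the function names are this example's own assumptions.

```python
def is_prime_by_trial_division(n):
    """Reference answer for small n, used only to check the two tests."""
    if n < 2:
        return False
    p = 2
    while p * p <= n:
        if n % p == 0:
            return False
        p += 1
    return True


def fermat_probable_prime(n, bases=(2, 3, 5, 7)):
    """Theorem 2.4.1 as a test: a base a ≢ 0 with a^(n-1) ≢ 1 (mod n) proves
    n composite. Passing every base proves nothing; n is then a pseudoprime to
    those bases, and a Carmichael number passes for every base coprime to it."""
    if n < 2:
        return False
    for a in bases:
        a %= n
        if a == 0:
            continue
        if pow(a, n - 1, n) != 1:
            return False
    return True


def miller_rabin_witness(n, a):
    """True if base a proves the odd number n > 2 composite. Write n - 1 = 2^s * d
    with d odd. For prime n the sequence a^d, a^(2d), ..., a^(2^(s-1) d) must
    start at 1 or contain -1, because the only square roots of 1 mod a prime
    are ±1 (Proposition 2.5.2); a sequence that does neither is a witness."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


def miller_rabin_probable_prime(n, bases=(2, 3, 5, 7)):
    """One Miller-Rabin round per base; False means definitely composite."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for a in bases:
        a %= n
        if a == 0:
            continue
        if miller_rabin_witness(n, a):
            return False
    return True


if __name__ == "__main__":
    print(pow(2, 322, 323))                                  # Example 2.4.2
    print(fermat_probable_prime(561, bases=(2, 5, 7, 13)))   # fooled by 561
    print(miller_rabin_probable_prime(561, bases=(2,)))      # not fooled
```

This is the reason a key generator must not rely on the plain pseudoprimality test: 561 is composite, yet no choice of bases coprime to it will ever reveal that, whereas the extra square-root structure Miller-Rabin inspects catches it with the very first base. A single base here, as the text says, gives only a probability bound for an arbitrary n; the small fixed base lists in this example are an illustration, not a substitute for the repeated calls the text describes.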

2.5 The Structure of (Z/pZ)∗

This section is about the structure of the group (Z/pZ)∗ of units modulo a prime number p. The main result is that this group is always cyclic. We will use this result later in Chapter 4 in our proof of quadratic reciprocity.

Definition 2.5.1 (Primitive root). A primitive root modulo an integer n is an element of (Z/nZ)∗ of order ϕ(n).

We will prove that there is a primitive root modulo every prime p. Since the unit group (Z/pZ)∗ has order p − 1, this implies that (Z/pZ)∗ is a cyclic group, a fact that will be extremely useful, since it completely determines the structure of (Z/pZ)∗ as an abelian group.

If n is an odd prime power, then there is a primitive root modulo n (see Exercise 2.25), but there is no primitive root modulo the prime power 2^3, and hence none mod 2^n for n ≥ 3 (see Exercise 2.24).

Section 2.5.1 is the key input to our proof that (Z/pZ)∗ is cyclic; here we show that for every divisor d of p − 1 there are exactly d elements of (Z/pZ)∗ whose order divides d. We then use this result in Section 2.5.2 to produce an element of (Z/pZ)∗ of order q^r when q^r is a prime power that exactly divides p − 1 (i.e., q^r divides p − 1, but q^{r+1} does not divide p − 1), and multiply together these elements to obtain an element of (Z/pZ)∗ of order p − 1.


2.5.1 Polynomials over Z/pZ

The polynomial x^2 − 1 has four roots in Z/8Z, namely 1, 3, 5, and 7. In contrast, the following proposition shows that a polynomial of degree d over a field, such as Z/pZ, can have at most d roots.

Proposition 2.5.2 (Root Bound). Let f ∈ k[x] be a nonzero polynomial over a field k. Then there are at most deg(f) elements α ∈ k such that

Proposition 2.5.3. Let p be a prime number and let d be a divisor of p − 1. Then f = x^d − 1 ∈ (Z/pZ)[x] has exactly d roots in Z/pZ.

Proof. Let e = (p − 1)/d. We have

x^{p−1} − 1 = (x^d)^e − 1
= (x^d − 1)((x^d)^{e−1} + (x^d)^{e−2} + · · · + 1)
= (x^d − 1)g(x),

where g ∈ (Z/pZ)[x] and deg(g) = de − d = p − 1 − d. Theorem 2.1.12 implies that x^{p−1} − 1 has exactly p − 1 roots in Z/pZ, since every nonzero element of Z/pZ is a root! By Proposition 2.5.2, g has at most p − 1 − d roots and x^d − 1 has at most d roots. Since a root of (x^d − 1)g(x) is a root of either x^d − 1 or g(x) and x^{p−1} − 1 has p − 1 roots, g must have exactly p − 1 − d roots and x^d − 1 must have exactly d roots, as claimed.

We pause to reemphasize that the analogue of Proposition 2.5.3 is false when p is replaced by a composite integer n, since a root mod n of a product of two polynomials need not be a root of either factor. For example, f = x^2 − 1 ∈ Z/15Z[x] has the four roots 1, 4, 11, and 14.


2.5.2 Existence of Primitive Roots

Recall from Section 2.1.2 that the order of an element x in a finite group is the smallest m ≥ 1 such that x^m = 1. In this section, we prove that (Z/pZ)∗ is cyclic by using the results of Section 2.5.1 to produce an element of (Z/pZ)∗ of order d for each prime power divisor d of p − 1, and then we multiply these together to obtain an element of order p − 1.

We will use the following lemma to assemble elements of each order dividing p − 1 to produce an element of order p − 1.

Lemma 2.5.4. Suppose a, b ∈ (Z/nZ)∗ have orders r and s, respectively, and that gcd(r, s) = 1. Then ab has order rs.

Proof. This is a general fact about commuting elements of any group; our proof only uses that ab = ba and nothing special about (Z/nZ)∗. Since

(ab)^{rs} = a^{rs} b^{rs} = 1,

the order of ab is a divisor of rs. Write this divisor as r_1 s_1 where r_1 | r and s_1 | s. Raise both sides of the equation

q_i^{n_i} roots. There are q_i^{n_i} − q_i^{n_i − 1} = q_i^{n_i − 1}(q_i − 1) elements a ∈ Z/pZ such that a^{q_i^{n_i}} = 1 but a^{q_i^{n_i − 1}} ≠ 1; each of these elements has order q_i^{n_i}. Thus for each i = 1, ..., r, we can choose


Example 2.5.6. We illustrate the proof of Theorem 2.5.5 when p = 13. We have

p − 1 = 12 = 2^2 · 3.

The polynomial x^4 − 1 has roots {1, 5, 8, 12} and x^2 − 1 has roots {1, 12}, so we may take a_1 = 5. The polynomial x^3 − 1 has roots {1, 3, 9}, and we set a_2 = 3. Then a = 5 · 3 = 15 ≡ 2 is a primitive root. To verify this, note that the successive powers of 2 (mod 13) are

2, 4, 8, 3, 6, 12, 11, 9, 5, 10, 7, 1.

Example 2.5.7. Theorem 2.5.5 is false if, e.g., p is replaced by a power of 2 bigger than 4. For example, the four elements of (Z/8Z)∗ each have order dividing 2, but ϕ(8) = 4.

Theorem 2.5.8 (Primitive Roots mod p^n). Let p^n be a power of an odd prime. Then there is a primitive root modulo p^n.

The proof is left as Exercise 2.25.

Proposition 2.5.9 (Number of primitive roots). If there is a primitive root modulo n, then there are exactly ϕ(ϕ(n)) primitive roots modulo n.

Proof. The primitive roots modulo n are the generators of (Z/nZ)∗, which by assumption is cyclic of order ϕ(n). Thus they are in bijection with the generators of any cyclic group of order ϕ(n). In particular, the number of primitive roots modulo n is the same as the number of elements of Z/ϕ(n)Z with additive order ϕ(n). An element of Z/ϕ(n)Z has additive order ϕ(n) if and only if it is coprime to ϕ(n). There are ϕ(ϕ(n)) such elements, as claimed.

Example 2.5.10. For example, there are ϕ(ϕ(17)) = ϕ(16) = 2^4 − 2^3 = 8 primitive roots mod 17, namely 3, 5, 6, 7, 10, 11, 12, 14. The ϕ(ϕ(9)) = ϕ(6) = 2 primitive roots modulo 9 are 2 and 5. There are no primitive roots modulo 8, even though ϕ(ϕ(8)) = ϕ(4) = 2 > 0.
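The Python below is an added example, not code from the book, covering Sections 2.5.1 and 2.5.2 together: it lists the roots of x^d − 1 modulo n (so the contrast between Proposition 2.5.3 for prime p and the four roots of x^2 − 1 modulo 8 and 15 can be checked), makes the proof of Theorem 2.5.5 effective by picking, for each prime power q^e exactly dividing p − 1, an element of order q^e and multiplying the picks as in Example 2.5.6, and enumerates all primitive roots to compare with ϕ(ϕ(n)) as in Examples 2.5.10 and 2.5.7. The brute-force order and ϕ computations, the trial-division factorization and the function names are this example's own; everything is exhaustive and meant for small moduli.

```python
from math import gcd


def phi(n):
    """Definition 2.1.11 by direct counting; fine for small n."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def order_mod(x, n):
    """Definition 2.1.10: least m >= 1 with x^m ≡ 1 (mod n), for gcd(x, n) = 1."""
    if gcd(x, n) != 1:
        raise ValueError("order is only defined for units")
    m, y = 1, x % n
    while y != 1:
        y = y * x % n
        m += 1
    return m


def roots_of_x_to_d_minus_1(d, n):
    """All a in Z/nZ with a^d ≡ 1 (mod n), i.e. the roots of x^d - 1 over Z/nZ."""
    return [a for a in range(n) if pow(a, d, n) == 1]


def prime_power_factorization(m):
    """(q, e) pairs with q^e exactly dividing m, by trial division (added helper)."""
    factors, q = [], 2
    while q * q <= m:
        e = 0
        while m % q == 0:
            m //= q
            e += 1
        if e:
            factors.append((q, e))
        q += 1
    if m > 1:
        factors.append((m, 1))
    return factors


def primitive_root_by_construction(p):
    """The proof of Theorem 2.5.5 carried out for a prime p: for each q^e
    exactly dividing p - 1, take the smallest root of x^(q^e) - 1 that is not a
    root of x^(q^(e-1)) - 1 (such an element has order exactly q^e, and it
    exists by the count in Proposition 2.5.3); the product of the picks has
    order p - 1 by Lemma 2.5.4."""
    a = 1
    for q, e in prime_power_factorization(p - 1):
        qe = q ** e
        pick = next(c for c in range(1, p)
                    if pow(c, qe, p) == 1 and pow(c, qe // q, p) != 1)
        a = a * pick % p
    return a


def primitive_roots(n):
    """Every element of (Z/nZ)* of order phi(n); empty when none exists."""
    k = phi(n)
    return [a for a in range(1, n) if gcd(a, n) == 1 and order_mod(a,
            n) == k]


if __name__ == "__main__":
    print(roots_of_x_to_d_minus_1(4, 13), roots_of_x_to_d_minus_1(3, 13))  # Example 2.5.6
    print(primitive_root_by_construction(13))                                # 2
    print(primitive_roots(17), primitive_roots(9), primitive_roots(8))       # Example 2.5.10
```

For p = 13 the construction picks 5 (order 4) and 3 (order 3) and returns their product 15 ≡ 2, exactly the choices of Example 2.5.6; for a modulus such as 8 or 15 the root lists show why the same construction cannot be expected to work outside a field.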

2.5.3 Artin's Conjecture

Conjecture 2.5.11 (Emil Artin). Suppose a ∈ Z is not −1 or a perfect square. Then there are infinitely many primes p such that a is a primitive root modulo p.

There is no single integer a such that Artin's conjecture is known to be true. For any given a, Pieter [Mor93] proved that there are infinitely many p such that the order of a is divisible by the largest prime factor of p − 1. Hooley [Hoo67] proved that something called the Generalized Riemann Hypothesis implies Conjecture 2.5.11.

Posted: 20/10/2017, 10:27
